From Risk Transfer to Risk Mitigation in Contract Design ...


Intro Risk Quantification Policy Portfolio Examples Discussion

From Risk Transfer to Risk Mitigation in Contract Design: Cyber Insurance as an Incentive Mechanism for Cybersecurity

Mingyan Liu

University of Michigan, Ann Arbor

Joint work with

Yang Liu, Armin Sarabi, Parinaz Naghizadeh, Mohammad Mahdi Khalili

M. Liu (U. Michigan) Cybersecurity 1 / 42


Threats to Internet security and availability

From unintentional to intentional, random to financially driven:

• misconfiguration

• mismanagement

• botnets, worms, SPAM, DoS attacks, . . .

Typical countermeasures are host based:

• blacklisting malicious hosts; used for filtering/blocking

• installing solutions on individual hosts, e.g., intrusion detection

Also heavily detection based:

• Even when successful, could be too late

• Damage control post breach

M. Liu (U. Michigan) Cybersecurity 2 / 42

Our vision

To assess networks as a whole, not individual hosts

• a network is typically governed by consistent policies
• changes in system administration on a larger time scale
• changes in resource and expertise on a larger time scale

• consistency (though dynamic) leads to predictability

From a policy perspective:

• leads to proactive security policies and enables incentive mechanisms

• many of which can only be applied at a network/org level.

The difference between understanding security and understanding risk

M. Liu (U. Michigan) Cybersecurity 3 / 42


A risk quantification and incentive framework

M. Liu (U. Michigan) Cybersecurity 4 / 42

An incident forecasting framework

Follow a supervised learning framework:

• Mismanagement and malicious activities used to extract features.
• Incident reports used to generate labels for training and testing.

Key properties:

• Scalability: we rely solely on externally observed data.
• Robustness: reduce the impact of noise by using a diverse set of data that captures different aspects of security posture.

M. Liu (U. Michigan) Cybersecurity 5 / 42

Malicious activity time series

• Three time series over a period: spam, phishing, scan.
• Recent 60 vs. Recent 14 (day windows).

[Figure: three 60-day daily-count time series (spam, phishing, scan); x-axis: Days; y-axes roughly 0 to 4, 400 to 1k, and 2k to 10k respectively]

Secondary features

• Measuring persistence and responsiveness.

M. Liu (U. Michigan) Cybersecurity 6 / 42
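The recent-60/recent-14 windows and the "persistence and responsiveness" secondary features above can be made concrete in code. The following is an added example, not code from the talk or its authors: it takes three constructed daily-count series, computes per-window summary statistics, and uses the longest run of consecutive active days as a persistence proxy and the number of days since the last active day as a responsiveness proxy. Those two proxy definitions, the window statistics chosen and all sample numbers are assumptions, not the talk's feature definitions.

```python
from statistics import mean

# Constructed example input: 60 days of daily counts from three malicious-
# activity feeds (spam, phishing, scan) for one network; day 0 is the oldest.
# Made-up numbers, not measurements from the talk's data sets.
SAMPLE_SERIES = {
    "spam": [0] * 40 + [3, 4, 2, 1] + [0] * 16,   # short burst, then cleaned up
    "phishing": [5] * 60,                          # persistent, never cleaned up
    "scan": [0] * 58 + [10, 8],                    # fresh activity in the last 2 days
}

WINDOWS = (60, 14)  # the "Recent 60" and "Recent 14" windows from the slide


def longest_active_run(counts):
    """Longest run of consecutive days with nonzero activity (persistence proxy, assumed)."""
    best = run = 0
    for c in counts:
        run = run + 1 if c > 0 else 0
        best = max(best, run)
    return best


def days_since_last_active(counts):
    """Days elapsed since the last nonzero day; len(counts) if never active.
    A large value after a burst means the network cleaned up (responsiveness proxy, assumed)."""
    for offset, c in enumerate(reversed(counts)):
        if c > 0:
            return offset
    return len(counts)


def window_features(counts, window):
    """Summary statistics for the last `window` days of one series."""
    w = counts[-window:]
    return {
        "mean": mean(w),
        "max": max(w),
        "active_frac": sum(1 for c in w if c > 0) / len(w),
        "longest_run": longest_active_run(w),
        "days_since_active": days_since_last_active(w),
    }


def extract_features(series, windows=WINDOWS):
    """Flatten per-feed, per-window statistics into one feature dict
    (keys like 'spam_14_longest_run') ready for a supervised classifier."""
    feats = {}
    for name, counts in series.items():
        for window in windows:
            for key, val in window_features(counts, window).items():
                feats[f"{name}_{window}_{key}"] = val
    return feats


if __name__ == "__main__":
    for k, v in sorted(extract_features(SAMPLE_SERIES).items()):
        print(f"{k:32s} {v}")
```

The spam series is the interesting case: on the 60-day window it shows a 4-day burst cleared 16 days ago, while the 14-day window is entirely quiet, which is exactly the contrast the two window lengths are meant to expose.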


The output of the classifier

M. Liu (U. Michigan) Cybersecurity 7 / 42


The output of the classifier

M. Liu (U. Michigan) Cybersecurity 8 / 42

Top data breaches of 2015-16

[Figure: CDF of predictor output (0 to 1) for the non-victim set and the VCDB victim set, with labelled breaches: OPM, Scottrade, T-Mobile, Experian, Anthem, PSU]

M. Liu (U. Michigan) Cybersecurity 9 / 42

Prediction performance

[Figure: ROC curves, true positive rate against false positive rate, for the VCDB, Hackmageddon, WHID and ALL incident sets]

Example of desirable operating points of the classifier:

Accuracy             Hackmageddon   VCDB   WHID   All
True Positive (TP)   96%            88%    80%    88%
False Positive (FP)  10%            10%    5%     4%

M. Liu (U. Michigan) Cybersecurity 10 / 42
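Choosing an operating point like the ones in the table means fixing a false-positive budget and taking the threshold that gives the highest true-positive rate within it. The following added example (not the talk's code or data) does that on a handful of constructed predictor outputs for labelled victim and non-victim organizations; the scores and the tie-breaking rule are assumptions.

```python
# Constructed classifier outputs (probability-like scores in [0, 1]) for a
# labelled test set: organizations that later appeared in an incident report
# ("victims") and organizations that did not. Made-up values, not the talk's data.
VICTIM_SCORES = [0.9, 0.8, 0.7, 0.4]
NON_VICTIM_SCORES = [0.1, 0.2, 0.35, 0.75]


def rates_at_threshold(victim_scores, non_victim_scores, threshold):
    """True-positive and false-positive rates when every score >= threshold
    is flagged as 'at risk'."""
    tp = sum(1 for s in victim_scores if s >= threshold) / len(victim_scores)
    fp = sum(1 for s in non_victim_scores if s >= threshold) / len(non_victim_scores)
    return tp, fp


def roc_points(victim_scores, non_victim_scores):
    """(threshold, TP rate, FP rate) for every distinct score, highest threshold first."""
    thresholds = sorted(set(victim_scores) | set(non_victim_scores), reverse=True)
    return [(t, *rates_at_threshold(victim_scores, non_victim_scores, t)) for t in thresholds]


def choose_operating_point(victim_scores, non_victim_scores, max_fp):
    """Pick the threshold with the highest TP rate whose FP rate stays within
    the budget max_fp (a 'desirable operating point' in the slide's sense).
    Ties go to the lower FP rate, then the higher threshold (assumed rule).
    Returns (threshold, tp, fp), or None if no threshold meets the budget."""
    feasible = [(tp, -fp, t)
                for t, tp, fp in roc_points(victim_scores, non_victim_scores)
                if fp <= max_fp]
    if not feasible:
        return None
    tp, neg_fp, t = max(feasible)
    return t, tp, -neg_fp


if __name__ == "__main__":
    for budget in (0.0, 0.1, 0.3):
        print(budget, choose_operating_point(VICTIM_SCORES, NON_VICTIM_SCORES, budget))
```

On these scores a 10% false-positive budget forces the threshold up to 0.8 and catches only half the victims; relaxing the budget to 30% lets the threshold drop to 0.4 and catches all of them at a 25% false-positive rate, the same trade-off the table's four columns show on real data.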

Fine-grained prediction

Conditional density estimation

• Risk profiles for sample organizations and their corresponding industries.

[Table: risk profile per incident type for sample organizations; column headings as recovered: Error, Hacking, Malware, Misuse, Physical, Social, Comp., Other, Theft, Other, Cred. Rows by industry: Information: Russian Radio, Verizon; Public Administration: Macon Bibb County, Internal Revenue Service.]

• Gray cells signify incident types with high risk;
• Crosses indicate the actual incident.

M. Liu (U. Michigan) Cybersecurity 11 / 42


A risk quantification and incentive framework

M. Liu (U. Michigan) Cybersecurity 12 / 42

What is an insurance contract?

A principal-agent problem:

• Risk averse agent (wants to minimize uncertainty)
• Risk neutral and profit maximizing insurer
• Participation is voluntary

[Diagram: Insurer (profit maximizer) offers contracts (under information asymmetry) to Agent (risk averse): premium + risk transfer]

• Moral hazard: unobservable actions
• Adverse selection: unobservable types

M. Liu (U. Michigan) Cybersecurity 13 / 42


Current state of the market

• Over 70 carriers around the world offering cyber insurance
• Total premiums estimated $10B in 2020, to grow to $15B in another few years
• Premiums $700 - $50M, coverage limits $500k - $500M
• Coverage typically includes:
  • Direct first-party costs (e.g. forensic investigations)
  • Liability and third-party claims (e.g. legal defense)
  • Add ons: business interruption costs, compensation against social engineering attacks, etc.

Sources: The Betterley Report 2016; NetDiligence 2016 Cyber Claims Study; Marsh Cyber Insurance Solutions Report; Wells Fargo 2016 Network Security and Data Privacy Study.

M. Liu (U. Michigan) Cybersecurity 14 / 42

Unique characteristics of cyber risks

In addition to moral hazard:

• Main challenge (1/2): limited actuarial data and lack of domain knowledge to determine risk and liability
• Main challenge (2/2): Cyber risks are heavily interdependent
  • Outsourcing leads to large number of vendors/suppliers
  • Third- and fourth-party risks
  • Think of what happens when AWS goes down
• Main challenge (3): Fast-changing cyber risk landscape compared to other risks
  • Set off by geopolitical events
  • Copycats following major hacks
  • Cyber vigilantism, . . .
• Risks as well as risk controls are man-made

M. Liu (U. Michigan) Cybersecurity 15 / 42

Remainder of the talk

• An incident forecasting framework and results
  • As a way to quantify security posture and security risks
  • A supervised learning approach
  • Aimed at addressing moral hazard
• Designing sound cyber insurance policies using these quantitative frameworks
  • Single agent: risk transfer and moral hazard
  • Two dependent agents: risk dependency and the use of pre-screening
  • Realistic portfolio comparison

M. Liu (U. Michigan) Cybersecurity 16 / 42

The model: a single risk-averse agent

• Agent chooses effort level $e \in \mathbb{R}_{\ge 0}$, with unit cost $c > 0$
• Loss is a random variable $L_e \sim \mathcal{N}(\mu(e), \lambda(e))$
• Agent's utility is given by
  $U(e) = -\exp\{-\gamma \cdot (-L_e - c\,e)\}$.
  Here, $\gamma > 0$ is the agent's risk attitude.
• Agent can get $U^o := \max_{e \ge 0} U(e)$ outside a contract, with effort $e^o$.

M. Liu (U. Michigan) Cybersecurity 17 / 42

The model: security pre-screening

• Insurer pre-screens the agent, observes $S_e = e + W$, where $W \sim \mathcal{N}(0, \sigma^2)$, and $\sigma^2$ is the accuracy of pre-screening.
• Insurer offers a linear contract $(p, \alpha, \beta)$: base premium, discount factor, coverage factor.
• Insurer's payoff is
  $V(p, \alpha, \beta, e) = p - \alpha S_e - \beta L_e$.
• Agent gets utility
  $U(p, \alpha, \beta, e) = -\exp\{-\gamma \cdot (-p + \alpha S_e - L_e + \beta L_e - c\,e)\}$
  inside a contract.

M. Liu (U. Michigan) Cybersecurity 18 / 42

Insurer's contract design problem

Choose parameters of the contract so as to

• ensure purchase by the agent (Individual Rationality)
• induce desired effort level by agent (Incentive Compatibility)

$\max_{p \ge 0,\ \alpha \ge 0,\ 0 \le \beta \le 1} \ \mathbb{E}[p - \alpha S_e - \beta L_e]$
s.t. (IR) $\mathbb{E}[U(p, \alpha, \beta, e)] \ge U^o$,
     (IC) $e \in \arg\max_{e' \ge 0} \mathbb{E}[U(p, \alpha, \beta, e')]$.

• How do the insurer's profit and optimal $e$ change with $\sigma^2$?

M. Liu (U. Michigan) Cybersecurity 19 / 42

Contract for single agent with pre-screening

Theorem (better pre-screening increases insurer's profit): The insurer's profit is increasing in the quality of pre-screening.

Theorem (better pre-screening improves network security): The agent's effort under the optimal contract, $e(\sigma)$, is decreasing in $\sigma$.

Interpretation of the results

• Better pre-screening helps better mitigate moral hazard; improves insurer's profit and network security.
• Note however, $e(\sigma) \le e^o$.

M. Liu (U. Michigan) Cybersecurity 20 / 42

The model: two interdependent risk-averse agents

• Two agents with risk aversion attitudes $\gamma_1, \gamma_2$, and effort costs $c_1, c_2$.
• Agent $i$ faces a loss $L^i_{e_1, e_2} \sim \mathcal{N}(\mu(e_i + x\,e_{-i}), \lambda(e_i + x\,e_{-i}))$; $x$ is the interdependence factor.
• Key difference from single agent case: outside options
  • Outside option for agent $i$ is unilateral deviation from buying the contract
  • Agent $-i$ is still offered a contract, which he may or may not purchase

M. Liu (U. Michigan) Cybersecurity 21 / 42


Contracts for two agents with pre-screening

Theorem (better pre-screening can increase insurer's profit): Conditions exist for profit to increase with the quality of pre-screening of either agent.

Theorem (better pre-screening can improve network security): Let $e_i(\sigma)$ be the optimal in-contract effort of agent $i$ with pre-screening accuracy $\sigma$. Conditions exist for (1) $e_1(\sigma) + e_2(\sigma)$ to decrease in $\sigma$, and (2) $e_1(\sigma) + e_2(\sigma) > e^o_1 + e^o_2$.

Interpretation of the results

• As in the single-agent case, pre-screening mitigates moral hazard.
• But pre-screening does something else besides this.
  • Interdependence means inefficient effort level at equilibrium.
  • When both agree to participate, effort becomes “cheaper”.
• The gap in efficiency ⇒ profit gap; pre-screening allows the insurer to take advantage of it by “selling commitment”.

M. Liu (U. Michigan) Cybersecurity 22 / 42


Does this have anything to do with risk aversion?

A single, monopolistic, profit-maximizing insurer:

• Risk neutral agent: $U(e) = -L_e - c\,e$.
• Risk averse agent: $U(e) = -\exp\{-\gamma(-L_e - c\,e)\}$.

[Diagram: with a risk-averse agent the insurer offers a contract and earns a profit (premium > risk transfer); with a risk-neutral agent there is no contract and no transfer]

• Contract reduces agent's effort; security worsens

M. Liu (U. Michigan) Cybersecurity 23 / 42

The answer is no . . .

Two risk neutral agents:

$U_i(e_1, e_2) = -\mu(e_i + x\,e_{-i}) - c_i e_i$.

[Diagram: with two risk-averse agents the insurer offers contracts to both and profits from premiums > risk transfer; with two risk-neutral agents the insurer still offers contracts to both and profits because efforts are now cheaper]

M. Liu (U. Michigan) Cybersecurity 24 / 42

New types of policy

Taking vendor relationship and risk dependency into account

• Embracing risk dependency rather than running away from it
• Key is to control risk rather than simply transferring risk
• Mutually beneficial

Next we'll take a look at the actual underwriting in a practical setting

• The example of a service provider (SP) with many customers:
  • cloud, network infrastructure, application hosting, etc.
  • Each customer's operation depends not only on its own actions but also on the SP's; e.g., an incident at the latter can cause business interruption/losses to the former.

M. Liu (U. Michigan) Cybersecurity 25 / 42


Specific question

Consider three portfolio types:

Analyze the difference in carrier’s profit and in the overall security level:

• we will rely on an actual cyber-insurance policy rate schedule.

M. Liu (U. Michigan) Cybersecurity 26 / 42

Underwriting using a rate schedule

Base premium and base retention for $1M in coverage (financial firms):

Asset Size                        Base Premium   Base Retention
$0 to $100,000,000                $5,000         $25,000
$100,000,001 to $250,000,000      $7,000         $25,000
$250,000,001 to $500,000,000      $8,500         $50,000
$500,000,001 to $1,000,000,000    $11,000        $100,000
...                               ...            ...

• Industry Factor

• Retention Factor

• Increased limit factor

• Co-insurance factor

• First/Third-party modifier factors (Cybersecurity factors)

• Optional coverage grants such as privacy costs or crisis management.

M. Liu (U. Michigan) Cybersecurity 27 / 42

Underwriting using a rate schedule

Base premium and base retention for $1M in coverage (non-financial firms):

Annual Revenue                    Base Premium   Base Retention
$0 to $5,000,000                  $5,000         $25,000
$5,000,001 to $10,000,000         $7,500         $25,000
$10,000,001 to $25,000,000        $11,500        $25,000
$25,000,001 to $50,000,000        $16,500        $50,000
...                               ...            ...

• Industry Factor

• Retention Factor

• Increased limit factor

• Co-insurance factor

• First/Third-party modifier factors (Cybersecurity factors)

• Optional coverage grants such as privacy costs or crisis management.

M. Liu (U. Michigan) Cybersecurity 27 / 42

Underwriting using a rate schedule

The base rate is then multiplied by a number of factors:

• Industry Factor

  Industry                        Factor
  Agriculture                     0.85
  Construction                    0.85
  Not-for-Profit Organizations    1.00
  Technology Service Providers    1.2
  Telecommunications              1.2

• Retention Factor

• Increased limit factor

• Co-insurance factor

• First/Third-party modifier factors (Cybersecurity factors)

• Optional coverage grants such as privacy costs or crisis management.

M. Liu (U. Michigan) Cybersecurity 27 / 42

Underwriting using a rate schedule

The base rate is then multiplied by a number of factors:

• Industry Factor
• Retention Factor

  Selected         Base Retention
  Retention        $25,000   $100,000   $500,000   $1,000,000
  $25,000          1.00      1.16       1.34       1.47
  $100,000         0.87      1.00       1.16       1.27
  $500,000         0.75      0.87       1.00       1.10
  $1,000,000       0.68      0.79       0.91       1.00

• Increased limit factor

• Co-insurance factor

• First/Third-party modifier factors (Cybersecurity factors)

• Optional coverage grants such as privacy costs or crisis management.

M. Liu (U. Michigan) Cybersecurity 27 / 42

Underwriting using a rate schedule

The base rate is then multiplied by a number of factors:

• Industry Factor
• Retention Factor
• Increased limit factor

  Coverage Limit    Increased Limit Factor
  $1,000,000        1.000
  $2,500,000        1.865
  $5,000,000        2.987
  $10,000,000       4.786
  $25,000,000       8.925

• Co-insurance factor

• First/Third-party modifier factors (Cybersecurity factors)

• Optional coverage grants such as privacy costs or crisis management.

M. Liu (U. Michigan) Cybersecurity 27 / 42


An example

A non-financial Technology Service Provider with annual revenue $6M purchasing a policy with retention $100,000 and coverage limit $2.5M, with additional coverage for privacy notification & crisis management.

• Base premium: $7,500; Base retention: $25,000 (for $1M limit)
• Industry factor: 1.2.
• Retention factor: 0.87.
• Limit factor: 1.865.
• First/Third-party modifier factor: 1.
• Co-insurance factor: 1.
• Privacy notification: 0.15 (for base premium/retention)
• Crisis management: 0.02 (for base premium/retention)

Total premium: (7500)(1.2)(0.87)(1.865)(1)(1) + (7500)(0.15 + 0.02) = $15,877.95

M. Liu (U. Michigan) Cybersecurity 28 / 42
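The premium arithmetic on this slide can be reproduced from the rate-schedule excerpts on the preceding slides. The code below is an added example, not the talk's or the carrier's code: it encodes the non-financial revenue bands, the industry, retention and increased-limit factor tables and the two optional grant rates as they appear on the slides, and treats the cybersecurity modifier and co-insurance factor as plain multipliers. The function and parameter names, and a second scenario with a 0.8 modifier showing how the posture-dependent modifier moves the premium, are assumptions.

```python
# Rate-schedule excerpts as shown on the slides (added example, not the carrier's code).

# Non-financial firms: (upper bound of annual revenue band, base premium, base retention)
REVENUE_BANDS = [
    (5_000_000, 5_000, 25_000),
    (10_000_000, 7_500, 25_000),
    (25_000_000, 11_500, 25_000),
    (50_000_000, 16_500, 50_000),
]
INDUSTRY_FACTOR = {
    "Agriculture": 0.85, "Construction": 0.85, "Not-for-Profit Organizations": 1.00,
    "Technology Service Providers": 1.2, "Telecommunications": 1.2,
}
# Retention factor, indexed as RETENTION_FACTOR[selected retention][base retention]
RETENTION_FACTOR = {
    25_000:    {25_000: 1.00, 100_000: 1.16, 500_000: 1.34, 1_000_000: 1.47},
    100_000:   {25_000: 0.87, 100_000: 1.00, 500_000: 1.16, 1_000_000: 1.27},
    500_000:   {25_000: 0.75, 100_000: 0.87, 500_000: 1.00, 1_000_000: 1.10},
    1_000_000: {25_000: 0.68, 100_000: 0.79, 500_000: 0.91, 1_000_000: 1.00},
}
LIMIT_FACTOR = {1_000_000: 1.000, 2_500_000: 1.865, 5_000_000: 2.987,
                10_000_000: 4.786, 25_000_000: 8.925}
# Optional coverage grants, charged as a fraction of the base premium (slide 28)
OPTIONAL_GRANTS = {"privacy_notification": 0.15, "crisis_management": 0.02}


def base_rate(annual_revenue):
    """Base premium and base retention for $1M of coverage from the revenue bands."""
    for upper, base_premium, base_retention in REVENUE_BANDS:
        if annual_revenue <= upper:
            return base_premium, base_retention
    raise ValueError("revenue above the bands reproduced here")


def premium(annual_revenue, industry, retention, limit, grants=(),
            cyber_modifier=1.0, coinsurance=1.0):
    """premium = base x industry x retention x limit x cyber modifier x co-insurance
                 + base x (sum of optional grant rates); returns dollars rounded to cents."""
    base, base_retention = base_rate(annual_revenue)
    core = (base * INDUSTRY_FACTOR[industry] * RETENTION_FACTOR[retention][base_retention]
            * LIMIT_FACTOR[limit] * cyber_modifier * coinsurance)
    extras = base * sum(OPTIONAL_GRANTS[g] for g in grants)
    return round(core + extras, 2)


def slide_example(cyber_modifier=1.0):
    """The slide's example: $6M-revenue technology service provider, $100,000 retention,
    $2.5M limit, privacy notification + crisis management. The modifier argument is an
    assumption used to show the effect of the posture-dependent factor."""
    return premium(6_000_000, "Technology Service Providers", 100_000, 2_500_000,
                   grants=("privacy_notification", "crisis_management"),
                   cyber_modifier=cyber_modifier)


if __name__ == "__main__":
    print("modifier 1.0:", slide_example())        # the slide's $15,877.95
    print("modifier 0.8:", slide_example(0.8))     # best-case posture, constructed scenario
    print("modifier 1.2:", slide_example(1.2))     # worst-case posture, constructed scenario
```

Note that the optional grants are added on the base premium, so the cybersecurity modifier only scales the core term; the $2,920.59 spread between the 0.8 and 1.0 scenarios is the whole underwriting incentive this schedule can offer for posture.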


First-party/Cybersecurity modifier factor

• InfoSec security policy
  • Does the insured maintain an information systems security policy?
  • Is it kept current/reviewed at least annually/updated as necessary?
  • YES to 2 of the above (0.8-0.9), 1 (0.95-1.05), 0 (1.1-1.2).
• Laptop security policy
  • Does the insured have a laptop security policy?
  • Yes (0.8-0.9), N/A (1), No (1.1-1.2)
• Web server security
  • Is sensitive data stored on web servers?
  • No (0.9-1), Yes (1.1-1.2)
• Disaster recovery

M. Liu (U. Michigan) Cybersecurity 29 / 42


Third-party modifier factor

• Website third-party service provider
  • Is a written agreement in place between the insured and the provider?
  • Does the agreement require a level of security commensurate with the insured's information systems security policy?
  • Does the insured review the results of the most recent SAS 70 or commensurate risk assessment?
  • YES to N/A (1), 3 (0.8-0.9), 2 (0.91-0.99), 3 (1-1.05), 4 (1.06-1.15)

• Application service provider

• Infrastructure operations third-party provider

• Backup & archiving third-party provider

M. Liu (U. Michigan) Cybersecurity 30 / 42

Observations

The third-party modifier factor is not actually third-party risk specific, and it should be.

• Using risk quantification methods presented earlier:
  • it can be estimated externally for Portfolio C;
  • it is available to the underwriter for Portfolios A (becomes first-party) and B.

• The analysis will now proceed by ignoring all other factors.

M. Liu (U. Michigan) Cybersecurity 31 / 42


The model: Portfolio A

Service provider (SP):

• Base premium $b_o$
• Retention $d_o$
• Cyber risk factor $f_o$
• Incentive factor $f'_o$
• Pays $b_o \cdot (f_o - f'_o)$ as premium.
• SP's probability of suffering a loss is $P_o(f_o - f'_o)$, where $P_o(\cdot)$ is an increasing and convex function.
• Gets coverage $(L_o - d_o)^+$ upon an incident with loss amount $L_o$.

M. Liu (U. Michigan) Cybersecurity 32 / 42


Insurer's expected utility as a function of $f'_o$:

$V^o(f'_o) = b_o \cdot (f_o - f'_o) - P_o(f_o - f'_o) \cdot \underbrace{\mathbb{E}\{(L_o - d_o)^+\}}_{l_o}$

M. Liu (U. Michigan) Cybersecurity 32 / 42

The model: Portfolio B

SP's customer $i$:

• Base premium $b_i$; Retention $d_i$.
• Cyber risk factor $f_i$, uniformly distributed in $[f_{\min}, f_{\max}]$.
• Pays $b_i \cdot f_i$ in premium.
• Gets coverage $(L_i - d_i)^+$ upon an incident with loss amount $L_i$.
• If an incident happens to SP, with probability $t$ it affects $i$.
• An incident can occur to $i$ not due to SP with probability $P_i(f_i)$.
• The total probability of a loss incident for $i$:
  $P^l_i(f'_o, f_i) = P_i(f_i) + t \cdot P_o(f_o - f'_o) \cdot (1 - P_i(f_i))$

M. Liu (U. Michigan) Cybersecurity 33 / 42


Insurer's utility from $i$ as a function of $f'_o$:

$V^i(f'_o) = b_i \cdot \frac{f_{\min} + f_{\max}}{2} - \mathbb{E}_{f_i}[P^l_i(f'_o, f_i)] \cdot l_i$

M. Liu (U. Michigan) Cybersecurity 33 / 42

The model: Portfolio C

Portfolio Type C: insure only customers; recover loss from the SP's policy.

• Third-party (SP) insurer profit:

$$U_o(f'_o) = b_o \cdot (f_o - f'_o) - P_o(f_o - f'_o) \cdot l_o - \sum_i q \cdot [t \cdot P_o(f_o - f'_o)] \cdot [1 - P_i(f_i)] \cdot l_i$$

• q: the probability of attributing the loss to the SP.

• Primary party (i) insurer profit:

$$U_i(f'_o) = b_i \cdot f_i - \{P_i(f_i) + (1 - q) \cdot [t \cdot P_o(f_o - f'_o)] \cdot [1 - P_i(f_i)]\} \cdot l_i$$

M. Liu (U. Michigan) Cybersecurity 34 / 42

The model: comparison

• Portfolio A: $f^*_o = \arg\max_{f'_o} V_o(f'_o)$

• Portfolio B: $f^{**}_o = \arg\max_{f'_o} \left[ V_o(f'_o) + \sum_i V_i(f'_o) \right]$

• Portfolio C: $f^{***}_o = \arg\max_{f'_o} U_o(f'_o)$

M. Liu (U. Michigan) Cybersecurity 35 / 42

Main Results

• $f^{**} \ge f^{***} \ge f^*$: the insurer offers a higher incentive to reduce the SP's risk when it insures both the SP and its customers.

• The incentive $f^{**}$ is increasing in n, the number of the SP's customers.

• The profit-maximizing strategy is to insure both the SP and its customers (Portfolio B):

$$V_o(f^{**}) + \sum_i V_i(f^{**}) \ge \sum_i U_i(f^{***})$$

• Portfolio B also yields the highest social welfare.

M. Liu (U. Michigan) Cybersecurity 36 / 42

Loss Probability Functions

Intention is to capture different types of shapes:

$$P_o(f_o - f'_o) = \frac{0.05}{\frac{b_o \,(1.2 - (f_o - f'_o))}{1000} + 1} \quad \text{(blue)} \quad (1)$$

$$P_o(f_o - f'_o) = \frac{0.05}{1 + \exp\left(\frac{b_o \cdot (1.2 - (f_o - f'_o))}{1000} - 20\right)} \quad \text{(red)} \quad (2)$$

$$P_o(f_o - f'_o) = \frac{5}{1000} + 0.05 \cdot \exp\left(-\frac{b_o \cdot (1.2 - (f_o - f'_o))}{1000}\right) \quad \text{(yellow)} \quad (3)$$

[Figure: the three functions plotted against the incentive factor for the service provider (f'_o), 0 to 1; y-axis: probability of a loss incident for the service provider, 0 to 0.06.]

M. Liu (U. Michigan) Cybersecurity 37 / 42

Numerical Example

• An SP and a single customer, both of large revenue.

• b_o = b_1 = $52,000 and d_o = d_1 = $250,000.

• Use loss model 1 (convex decreasing) and f_o = 1.2.

• Loss of each insured is log-normally distributed with mean $5,965,571 and median $3,326,313 (NetDiligence 2016-17 report).

Revenue band                   Cases   Median ($)    Mean ($)
Nano Revenue (< $50M)             52       49,000     215,297
Micro Revenue ($50M - $300M)      31       88,154     487,411
Small Revenue ($300M - $2B)       15      118,671     599,907
Mid Revenue ($2B - $10B)           9       91,457     173,851
Large Revenue ($10B - $100B)       8    3,326,313   5,965,571

M. Liu (U. Michigan) Cybersecurity 38 / 42

Numerical Example

[Figure, three panels: (a) Profit (t = 0.5) as a function of the incentive factor f'_o, in thousands of dollars; (b) ... as a function of t, in thousands of dollars; (c) Optimal incentive factor as a function of t.]

M. Liu (U. Michigan) Cybersecurity 39 / 42

Is the premium discount sufficient?

• Consider a non-financial technology service provider firm with annual revenue of $6M.

• Base premium b_o = $7,500.

• We will assume the firm is assessed with f_o = 1.2.

• If the insurer sets f'_o = 0.35, the SP receives b_o · 0.35 = $2,625 in discount.

• An IT security professional with a BS degree, 5 years of experience, and a salary of $85K:

$$\frac{\$2625}{\$85000} \times 50 \text{ working weeks} \approx 1.5 \text{ weeks}$$

• Is this sufficient?

• Maybe yes, maybe no (it reduces the risk by $10^{-9}$ (model 2), 0.05 (model 3)).

• Mismatch could stem from the loss functions.

• Just as likely: base premiums are out of touch to begin with.

M. Liu (U. Michigan) Cybersecurity 40 / 42
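The model slides (Portfolios A, B and C, the comparison, and the numerical example) and the "Is the premium discount sufficient?" slide above, carried through in code as an added example that is not the slides' own code: the three loss models, the insurer utilities V_o, V_i, U_o, U_i, the grid-searched optimal incentive f'_o for each portfolio, and the risk reduction bought by a given discount. The customer loss model P_i(f_i) (same shape as P_o), the customer risk-factor range [0.6, 1.0] and the attribution probability q = 0.5 are assumptions, since the slides do not specify them.

```python
import math
# Added example (not the slides' own code): loss models (1)-(3) and the Portfolio A/B/C
# utilities of the slides, with the optimal incentive f'_o found by grid search. Assumed
# (not on the slides): P_i(f_i) has the same shape as P_o, the range [fmin, fmax], and q.

def p_loss(model, b, x):
    """Loss-probability models (1)-(3), evaluated at x = f_o - f'_o (or at f_i)."""
    z = b * (1.2 - x) / 1000.0
    if model == 1:
        return 0.05 / (z + 1.0)                      # blue: convex, decreasing in f'_o
    if model == 2:
        return 0.05 / (1.0 + math.exp(z - 20.0))     # red: logistic
    return 5.0 / 1000.0 + 0.05 * math.exp(-z)        # yellow: exponential

def expected_excess(mean, median, d):
    """l = E{(L - d)^+} for a log-normal loss L with the given mean and median."""
    mu, s2 = math.log(median), 2.0 * math.log(mean / median)  # mean = median*exp(s2/2)
    s = math.sqrt(s2)
    phi = lambda v: 0.5 * (1.0 + math.erf(v / math.sqrt(2.0)))  # standard normal CDF
    return mean * phi((mu + s2 - math.log(d)) / s) - d * phi((mu - math.log(d)) / s)

def make_utilities(m, n_cust=1, model=1, q=0.5):
    """V_o, sum_i V_i, U_o and sum_i U_i as functions of f'_o, n identical customers."""
    bo, fo, lo, bi, li, t = (m[k] for k in ("bo", "fo", "lo", "bi", "li", "t"))
    fis = [m["fmin"] + (k + 0.5) * (m["fmax"] - m["fmin"]) / 200 for k in range(200)]
    Ef = lambda g: sum(g(fi) for fi in fis) / len(fis)      # E_{f_i}[.], f_i uniform
    Po = lambda fp: p_loss(model, bo, fo - fp)
    Pi = lambda fi: p_loss(model, bi, fi)                    # assumed customer model
    Vo = lambda fp: bo * (fo - fp) - Po(fp) * lo
    Vi = lambda fp: n_cust * (bi * (m["fmin"] + m["fmax"]) / 2
                              - Ef(lambda fi: Pi(fi) + t * Po(fp) * (1 - Pi(fi))) * li)
    Uo = lambda fp: Vo(fp) - n_cust * Ef(lambda fi: q * t * Po(fp) * (1 - Pi(fi)) * li)
    Ui = lambda fp: n_cust * Ef(lambda fi: bi * fi
                                - (Pi(fi) + (1 - q) * t * Po(fp) * (1 - Pi(fi))) * li)
    return Vo, Vi, Uo, Ui

def optimal_incentive(util, step=0.001):
    """arg max over f'_o in [0, 1] (the range plotted on the slides) by grid search."""
    return max((k * step for k in range(int(1 / step) + 1)), key=util)

def compare_portfolios(m, n_cust=1, model=1, q=0.5):
    Vo, Vi, Uo, Ui = make_utilities(m, n_cust, model, q)
    f_a = optimal_incentive(Vo)                           # A: insure the SP only
    f_b = optimal_incentive(lambda fp: Vo(fp) + Vi(fp))   # B: SP and its customers
    f_c = optimal_incentive(Uo)                           # C: customers, recover from SP
    return {"f_A": f_a, "f_B": f_b, "f_C": f_c,
            "profit_B": Vo(f_b) + Vi(f_b), "profit_C_customers": Ui(f_c)}

def risk_reduction(model, bo, fo, fp):
    """Drop in the SP's loss probability bought by incentive f'_o (the $2,625 question)."""
    return p_loss(model, bo, fo) - p_loss(model, bo, fo - fp)

# Numerical example of the slides: large-revenue SP and one customer, loss model 1.
L = expected_excess(5_965_571, 3_326_313, 250_000)
PARAMS = {"bo": 52_000, "bi": 52_000, "fo": 1.2, "lo": L, "li": L, "t": 0.5,
          "fmin": 0.6, "fmax": 1.0}   # customer risk-factor range is an assumption
```

`compare_portfolios(PARAMS)` reproduces the ordering f** ≥ f*** ≥ f* and the profit inequality of the Main Results slide, and raising `n_cust` raises f**; `risk_reduction(k, 7500, 1.2, 0.35)` for k = 1, 2, 3 gives the per-model risk reductions behind the "sufficient?" question.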

Conclusion

A prediction framework for forecasting cybersecurity incidents

• Data sources, pre-processing, features, and training.

Cyber insurance policy design

• Steering insurance toward risk reduction in addition to risk transfer.

Key takeaway: counter to standard practice, by structuring a portfolio that includes both the service provider and its customers:

• Security incentives offered to the SP are higher (relative to only insuring the SP or only its customers).

• Overall risk of a loss for the SP and customers is lower.

• Carrier profits are higher.

• Social welfare is higher.

M. Liu (U. Michigan) Cybersecurity 41 / 42

Acknowledgement

Work supported by the NSF and the DHS

• Y. Liu, A. Sarabi, J. Zhang, P. Naghizadeh, M. Karir, M. Bailey and M. Liu, "Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents", USENIX Security, August 2015, Washington, D.C.

• A. Sarabi, P. Naghizadeh, Y. Liu and M. Liu, "Prioritizing Security Spending: A Quantitative Analysis of Risk Distributions for Different Business Profiles", WEIS, June 2015, Delft University, The Netherlands; Journal of Cybersecurity, December 2016.

• P. Naghizadeh and M. Liu, "Inter-Temporal Incentives in Security Information Sharing Agreements", ITA, February 2016, San Diego, CA.

• M. Khalili, P. Naghizadeh and M. Liu, "Designing Cyber Insurance Policies: The Role of Pre-Screening and Security Interdependence", NetEcon, 2017; IEEE Trans. Information Forensics & Security (TIFS), February 2018.

• M. Khalili, M. Liu, and S. Romanosky, "Embracing and Controlling Risk Dependency in Cyber-Insurance Policy Underwriting", Workshop on the Economics of Information Security (WEIS), June 2018, Innsbruck, Austria. To appear in Journal of Cybersecurity.

• A. Sarabi and M. Liu, "Characterizing the Internet Host Population Using Deep Learning: A Universal and Lightweight Numerical Embedding", International Measurement Conference (IMC), October 2018, Boston, MA.

M. Liu (U. Michigan) Cybersecurity 42 / 42